Common Weakness Enumeration

CWE-338

Allowed

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

293 vulnerabilities reference this CWE, most recent first.

GHSA-PM4F-PGGW-8JWC

Vulnerability from github – Published: 2023-04-27 06:30 – Updated: 2024-04-04 03:42
VLAI
Details

Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T05:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.",
  "id": "GHSA-pm4f-pggw-8jwc",
  "modified": "2024-04-04T03:42:41Z",
  "published": "2023-04-27T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31290"
    },
    {
      "type": "WEB",
      "url": "https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen"
    },
    {
      "type": "WEB",
      "url": "https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787"
    },
    {
      "type": "WEB",
      "url": "https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trustwallet/wallet-core/compare/3.1.0...3.1.1"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/TrustWallet/status/1649699428733947906"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMXQ-4HQC-9HR4

Vulnerability from github – Published: 2025-03-24 18:31 – Updated: 2025-03-24 18:31
VLAI
Details

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-24T16:15:16Z",
    "severity": "HIGH"
  },
  "details": "A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.",
  "id": "GHSA-pmxq-4hqc-9hr4",
  "modified": "2025-03-24T18:31:01Z",
  "published": "2025-03-24T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26091"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-031"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRGJ-H7JQ-7P9H

Vulnerability from github – Published: 2023-08-09 03:30 – Updated: 2024-04-04 06:43
VLAI
Details

The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from "bx seed" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor's position is that there was sufficient documentation advising against "bx seed" but others disagree. NOTE: this was exploited in the wild in June and July 2023.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-09T03:15:44Z",
    "severity": "HIGH"
  },
  "details": "The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from \"bx seed\" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor\u0027s position is that there was sufficient documentation advising against \"bx seed\" but others disagree. NOTE: this was exploited in the wild in June and July 2023.",
  "id": "GHSA-prgj-h7jq-7p9h",
  "modified": "2024-04-04T06:43:16Z",
  "published": "2023-08-09T03:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libbitcoin/libbitcoin-explorer/blob/20eba4db9a8a3476949d6fd08a589abda7fde3e3/src/commands/seed.cpp#L44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libbitcoin/libbitcoin-explorer/blob/20eba4db9a8a3476949d6fd08a589abda7fde3e3/src/utility.cpp#L78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libbitcoin/libbitcoin-explorer/wiki/CVE-2023-39910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libbitcoin/libbitcoin-system/blob/a1b777fc51d9c04e0c7a1dec5cc746b82a6afe64/src/crypto/pseudo_random.cpp#L66C12-L78"
    },
    {
      "type": "WEB",
      "url": "https://milksad.info/disclosure.html"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=37054862"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRR9-FCGF-VPXX

Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-02-27 21:31
VLAI
Details

Apache::SessionX versions through 2.01 for Perl create insecure session id.

Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T00:16:55Z",
    "severity": "HIGH"
  },
  "details": "Apache::SessionX versions through 2.01 for Perl create insecure session id.\n\nApache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.",
  "id": "GHSA-prr9-fcgf-vpxx",
  "modified": "2026-02-27T21:31:21Z",
  "published": "2026-02-27T00:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40932"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRWJ-528C-65R9

Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2025-10-06 18:31
VLAI
Details

OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-24T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.",
  "id": "GHSA-prwj-528c-65r9",
  "modified": "2025-10-06T18:31:01Z",
  "published": "2022-05-17T03:46:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2362"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-202-01a"
    },
    {
      "type": "WEB",
      "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-202-01"
    },
    {
      "type": "WEB",
      "url": "http://support.oleumtech.com"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68797"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68800"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q3GC-45GM-V55M

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:31
VLAI
Details

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-15T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.",
  "id": "GHSA-q3gc-45gm-v55m",
  "modified": "2025-04-20T03:31:14Z",
  "published": "2022-05-13T01:46:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4"
    },
    {
      "type": "WEB",
      "url": "https://codex.wordpress.org/Version_4.7.1"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/8721"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3779"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/01/14/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95401"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037591"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3JG-4C82-J4XH

Vulnerability from github – Published: 2018-11-29 21:30 – Updated: 2022-09-14 22:09
VLAI
Summary
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker
Details

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.credhub:spring-credhub-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-15795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker\u0027s UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.",
  "id": "GHSA-q3jg-4c82-j4xh",
  "modified": "2022-09-14T22:09:19Z",
  "published": "2018-11-29T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15795"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q3jg-4c82-j4xh"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2018-15795"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker"
}

GHSA-Q46Q-P96M-RVH8

Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30
VLAI
Details

Starch versions 0.14 and earlier generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-20T13:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "Starch versions 0.14 and earlier generate session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.",
  "id": "GHSA-q46q-p96m-rvh8",
  "modified": "2025-09-22T18:30:34Z",
  "published": "2025-09-22T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bluefeet/Starch/pull/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8FC-V85F-78PW

Vulnerability from github – Published: 2024-05-29 13:09 – Updated: 2024-05-29 13:09
VLAI
Summary
stormpath/sdk uses Insecure Random Number Generator
Details

The vulnerability pertains to the usage of an insecure random number generator (RNG) in the "stormpath-sdk-php" library. Specifically, the issue is present in the generation of UUID (Universally Unique Identifier) version 4 within the codebase.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "stormpath/sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T13:09:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The vulnerability pertains to the usage of an insecure random number generator (RNG) in the \"stormpath-sdk-php\" library. Specifically, the issue is present in the generation of UUID (Universally Unique Identifier) version 4 within the codebase.\n",
  "id": "GHSA-q8fc-v85f-78pw",
  "modified": "2024-05-29T13:09:29Z",
  "published": "2024-05-29T13:09:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stormpath/stormpath-sdk-php/issues/132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/stormpath/sdk/2017-11-20.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stormpath/stormpath-sdk-php"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stormpath/stormpath-sdk-php/blob/15aee3007b8aa41c20cdf28fd650b8a2368a7fa9/src/Util/UUID.php#L167-L181"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stormpath/stormpath-sdk-php/blob/62698ea98ef89217f932e28cf3e511d39af3b4cf/src/Authc/Api/ApiKeyEncryptionOptions.php#L48-L50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "stormpath/sdk uses Insecure Random Number Generator"
}

GHSA-Q96M-53G6-X5C4

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 12:00
VLAI
Details

SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses insecure random number generator program which makes it easy for the attacker to predict future random numbers. This can lead to information disclosure and modification of certain user settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses insecure random number generator program which makes it easy for the attacker to predict future random numbers. This can lead to information disclosure and modification of certain user settings.",
  "id": "GHSA-q96m-53g6-x5c4",
  "modified": "2022-10-13T12:00:27Z",
  "published": "2022-10-12T12:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41210"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3248384"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

No CAPEC attack patterns related to this CWE.